First American Financial Exposed Millions of Sensitive Documents

The website of financial services company First American Financial until recently exposed hundreds of millions of documents containing sensitive information, security blogger Brian Krebs reported on Friday.

According to its Wikipedia page, First American Financial is “a leading provider of title insurance and settlement services to the real estate and mortgage industries.”

Krebs learned from Ben Shoval, a real estate developer in Washington state, that a section of First American’s website, firstam.com, had been storing hundreds of millions of title insurance records without proper protection.

This was the result of an insecure direct object reference (IDOR) vulnerability that allowed anyone to access all the documents stored by First American on this section of its site by modifying the value of a parameter in a link pointing to a valid document. For example, if a document is stored at example.com/file001.pdf, changing the URL to example.com/file002.pdf fetches a different document.

Shoval had been having trouble contacting First American when he reached out to Krebs. Their investigation revealed that the company had been exposing roughly 885 million files. The files — the earliest dated 2003 — were apparently online from at least March 2017 until May 25, 2019.

It’s unclear if any unauthorized users accessed the files during this time, but the exposed information could have been highly useful to scammers.

First American has shut down its website in response to the incident and has launched an investigation. “We are currently evaluating what effect, if any, this had on the security of customer information,” the company said.

Dave Farrow, Senior Director of Information Security at Barracuda Networks, described the IDOR flaw as a “very common programming mistake.”

“The result in this case is a trove of very sensitive information that can be used to fuel the next stage of an attack in the form of identity theft, spear phishing or Business Email Compromise (BEC),” Farrow said via email.

“It seems likely that breaches like this will to continue to happen,” Farrow added. “While we must continue improving the security of our applications and systems, that is just the first line of defense. This defense is only as strong as the weakest vendor we share our data with. Or the strongest partner they share our data with. One vendor could be doing a perfect job protecting our privacy. But that doesn’t necessarily stop another vendor from losing the same information that they’re both trying to protect.

“We must implement defense in depth. One line of defense includes reviewing how a malicious person in possession of leaked information may attempt to use it against us or our customers. Account takeovers, wire transfer fraud, and identify theft all come to mind. There appears to be no shortage of creative ways that someone can defraud their fellows these days,” he warned.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.